Merge pull request kubernetes#130028 from AkihiroSuda/subids-per-pod

kubelet: config: add userNamespaces.idsPerPod

Author: k8s-ci-robot

api/api-rules/violation_exceptions.list

@@ -261,6 +261,7 @@ API rule violation: names_match,k8s.io/kube-proxy/config/v1alpha1,KubeProxyConfi
 API rule violation: names_match,k8s.io/kubelet/config/v1beta1,KubeletConfiguration,IPTablesDropBit
 API rule violation: names_match,k8s.io/kubelet/config/v1beta1,KubeletConfiguration,IPTablesMasqueradeBit
 API rule violation: names_match,k8s.io/kubelet/config/v1beta1,KubeletConfiguration,ResolverConfig
+API rule violation: names_match,k8s.io/kubelet/config/v1beta1,UserNamespaces,IDsPerPod
 API rule violation: names_match,k8s.io/metrics/pkg/apis/custom_metrics/v1beta1,MetricValue,WindowSeconds
 API rule violation: names_match,k8s.io/metrics/pkg/apis/external_metrics/v1beta1,ExternalMetricValue,WindowSeconds
 API rule violation: streaming_list_type_proto_tags,k8s.io/apimachinery/pkg/apis/meta/v1beta1,PartialObjectMetadataList,Items

pkg/generated/openapi/zz_generated.openapi.go

@@ -306,5 +306,6 @@ var (
 		"LocalStorageCapacityIsolation",
 		"FailCgroupV1",
 		"CrashLoopBackOff.MaxContainerRestartPeriod",
+		"UserNamespaces.IDsPerPod",
 	)
 )

pkg/kubelet/apis/config/helpers_test.go

@@ -541,6 +541,11 @@ type KubeletConfiguration struct {
 	// +featureGate=KubeletCrashLoopBackoffMax
 	// +optional
 	CrashLoopBackOff CrashLoopBackOffConfig
+
+	// UserNamespaces contains User Namespace configurations.
+	// +featureGate=UserNamespaceSupport
+	// +optional
+	UserNamespaces *UserNamespaces
 }
 
 // KubeletAuthorizationMode denotes the authorization mode for the kubelet
@@ -878,3 +883,17 @@ type ImagePullSecret struct {
 	// content of the secret specified by the UID/Namespace/Name coordinates.
 	CredentialHash string
 }
+
+// UserNamespaces contains User Namespace configurations.
+type UserNamespaces struct {
+	// IDsPerPod is the mapping length of UIDs and GIDs.
+	// The length must be a multiple of 65536, and must be less than 1<<32.
+	// On non-linux such as windows, only null / absent is allowed.
+	//
+	// Changing the value may require recreating all containers on the node.
+	//
+	// Default: 65536
+	// +featureGate=UserNamespaceSupport
+	// +optional
+	IDsPerPod *int64
+}

pkg/kubelet/apis/config/types.go

@@ -21,12 +21,15 @@ package validation
 
 import (
 	"fmt"
+	"math"
 
 	libcontainercgroups "github.com/opencontainers/cgroups"
 	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 	"k8s.io/utils/ptr"
 )
 
+const userNsUnitLength = 65536
+
 // validateKubeletOSConfiguration validates os specific kubelet configuration and returns an error if it is invalid.
 func validateKubeletOSConfiguration(kc *kubeletconfig.KubeletConfiguration) error {
 	isCgroup1 := !libcontainercgroups.IsCgroup2UnifiedMode()
@@ -38,5 +41,20 @@ func validateKubeletOSConfiguration(kc *kubeletconfig.KubeletConfiguration) erro
 		return fmt.Errorf("invalid configuration: singleProcessOOMKill must not be explicitly set to false when using cgroup v1")
 	}
 
+	if userNs := kc.UserNamespaces; userNs != nil {
+		if idsPerPod := userNs.IDsPerPod; idsPerPod != nil {
+			if *idsPerPod < userNsUnitLength {
+				return fmt.Errorf("invalid configuration: userNamespaces.idsPerPod must not be less than %d", userNsUnitLength)
+			}
+			if *idsPerPod%userNsUnitLength != 0 {
+				return fmt.Errorf("invalid configuration: userNamespaces.idsPerPod must be a multiple of %d", userNsUnitLength)
+			}
+			if *idsPerPod > math.MaxUint32 {
+				// int64() is needed for 32-bit targets
+				return fmt.Errorf("invalid configuration: userNamespaces.idsPerPod must not be more than %d", int64(math.MaxUint32))
+			}
+		}
+	}
+
 	return nil
 }

pkg/kubelet/apis/config/v1beta1/zz_generated.conversion.go

@@ -31,5 +31,9 @@ func validateKubeletOSConfiguration(kc *kubeletconfig.KubeletConfiguration) erro
 		return fmt.Errorf("invalid configuration: singleProcessOOMKill is only supported on linux")
 	}
 
+	if kc.UserNamespaces != nil {
+		return fmt.Errorf("invalid configuration: userNamespaces is only supported on linux")
+	}
+
 	return nil
 }

pkg/kubelet/apis/config/validation/validation_linux.go

@@ -46,5 +46,9 @@ func validateKubeletOSConfiguration(kc *kubeletconfig.KubeletConfiguration) erro
 		klog.Warningf(message, "EnforceNodeAllocatable", "--enforce-node-allocatable", kc.EnforceNodeAllocatable)
 	}
 
+	if kc.UserNamespaces != nil {
+		return fmt.Errorf("invalid configuration: userNamespaces is not supported on Windows")
+	}
+
 	return nil
 }

pkg/kubelet/apis/config/validation/validation_others.go

@@ -30,4 +30,5 @@ const (
 	KubeletPluginsDirSELinuxLabel            = "system_u:object_r:container_file_t:s0"
 	KubeletContainersSharedSELinuxLabel      = "system_u:object_r:container_file_t:s0"
 	DefaultKubeletCheckpointsDirName         = "checkpoints"
+	DefaultKubeletUserNamespacesIDsPerPod    = 65536
 )